Istio 1.13 Change Notes
Istio 1.13.0 change notes.
Added an API (CRD) for configuring ProxyConfig values containing a stable subset of the configuration from
Added support for hostname-based multi-network gateways for east-west traffic. The hostname will be resolved in the control plane and each of the IPs will be used as an endpoint. This behavior can be disabled by setting RESOLVE_HOSTNAME_GATEWAYS=false for istiod. (Issue #29359)
Added support for rewriting gRPC probes.
Added a feature flag PILOT_LEGACY_INGRESS_BEHAVIOR, which defaults to false. If this is set to true, Istio ingress will perform the legacy behavior, which does not meet the Kubernetes specification. (Issue #35033)
Added support for listeners to balance between Envoy worker threads via proxyMetadata. (Issue #18152)
WorkloadGroup to v1beta1. (Issue #25652)
Improved istio-agent health probe rewrite to not re-use connections, mirroring Kubernetes’ probing behavior. (Issue #36390)
Improved the default PILOT_MAX_REQUESTS_PER_SECOND, which limits the number of new XDS connections per second, to 25 (from 100). This has been shown to improve performance under high load.
Updated the control plane to read Endpoints for service discovery for Kubernetes 1.21 or later. To switch back to the old Endpoints based behavior set
Fixed an issue where specifying conflicting protocols for a service target port causes unstable protocol selection for that port. (Issue #36462)
Fixed an issue where scaling endpoints for a service from 0 to 1 might cause client-side service account verification to be populated incorrectly. (Issue #36465 and #31534)
Fixed an issue where the TcpKeepalive setting in mesh config is not honored. (Issue #36499)
Fixed an issue where stale endpoints can be configured when a service gets deleted and created again. (Issue #36510)
Fixed an issue where istiod crashes if prioritized leader election (controlled via the PRIORITIZED_LEADER_ELECTION env variable) is disabled. (Issue #36541)
Fixed an issue where sidecar iptables rules cause intermittent connection resets due to out-of-window packets. Introduced a flag meshConfig.defaultConfig.proxyMetadata.INVALID_DROP to control this setting. (Issue #36566)
Fixed an issue where an in-place upgrade will cause TCP connections between a <1.12 proxy and a 1.12 proxy to fail. (Issue #36797)
Fixed an issue where EnvoyFilter with ANY patch context will skip adding new clusters and listeners at gateway.
Fixed an issue causing HTTP/1.0 requests to be rejected (with a 426 Upgrade Required error) in some cases. (Issue #36707)
Fixed an issue where using ISTIO_MUTUAL TLS mode in Gateways while also setting credentialName causes mutual TLS to not be configured. This configuration is now rejected, as ISTIO_MUTUAL is intended to be used without credentialName set. The old behavior can be retained by configuring the PILOT_ENABLE_LEGACY_ISTIO_MUTUAL_CREDENTIAL_NAME=true environment variable in Istiod.
Fixed an issue where changes in a delegate VirtualService do not take effect when RDS cache is enabled. (Issue #36525)
Fixed an issue causing mTLS errors for traffic on port 22, by including port 22 in iptables by default. (Issue #35733)
Fixed an issue causing hostnames overlapping the cluster domain (such as example.local) to generate invalid routes. (Issue #35676)
Fixed an issue where duplicated cipher suites configured in a Gateway were pushed to the Envoy configuration. With this fix, duplicated cipher suites will be ignored and logged. (Issue #36805)
Added TLS settings to the sidecar API in order to enable TLS/mTLS termination on the sidecar proxy for requests coming from outside the mesh. (Issue #35111)
Promoted authorization policy dry-run mode to Alpha. (Issue #112)
Fixed a couple of issues in the ext-authz filter affecting the behavior of the gRPC check response API. Please see the Envoy release note for more details of the bug fixes if you are using authorization policies with the ext-authz gRPC extension provider in Istio. (Issue #35480)
Added configuration for selecting service name generation scheme in Envoy-generated trace spans. (Issue #36162 and #12644)
Added Common Expression Language (CEL) filter support for access logs. (Issue #36514)
Added access logging providers and controls for access log filtering to the Telemetry API.
Added an option to set whether the Request ID generated by the sidecar should be used when determining the sampling strategy for tracing.
Added configurable service-cluster naming scheme support. (Issue #36162)
JWKS requests are now logged with truncation to 100 characters. (Issue #35663)
Added a privileged flag to Istio-CNI Helm charts to set securityContext flag. (Issue #34211)
Removed support for a number of nonstandard kubeconfig authentication methods when using multicluster secrets.
Updated istiod deployment to respect values.pilot.nodeSelector. (Issue #36110)
Fixed an issue where the in-cluster operator can’t prune resources when the Istio control plane has active proxies connected. (Issue #35657)
Fixed omission of the .Values.sidecarInjectorWebhook.enableNamespacesByDefault setting in the default revision mutating webhook, and added istioctl tag controlling this setting. (Issue #36258)
Fixed an issue where setting includeInboundPorts with Helm values did not take effect. (Issue #36644)
Fixed an issue that was preventing the Helm chart from being used as a chart dependency. (Issue #35495)
Fixed an issue where the Helm chart generated an invalid manifest when given boolean or numeric values for environment variables. (Issue #36946)
Fixed detection of prometheus.io.scrape annotations when merging metrics. (Issue #31187)
istioctl analyze will display a warning when a service of type ExternalName has an invalid port name or the port name is tcp. (Issue #35429)
Added log options to istioctl install to prevent unexpected messages. (Issue #35770)
CLUSTER column in the output of
Added the global wildcard pattern match for the bug report
Added the output format flag to
IstioOperator files. (Issue #36472)
istioctl analyze now supports --ignore-unknown, which suppresses errors when non-k8s yaml files are found in a file or directory. (Issue #36471)
Added stats command istioctl experimental envoy-stats for retrieving istio-proxy envoy metrics.
--duration flag never gets used in the
Fixed an issue where using flags in istioctl bug-report results in errors. (Issue #36103)
operator init --dry-run creates unexpected namespaces.
Fixed error format after json marshal in virtual machine config. (Issue #36358)
Fixed formatting of the telemetry configuration reference page.
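
A pre-upgrade check for the two Gateway TLS notes above (ISTIO_MUTUAL combined with credentialName, which 1.13 rejects, and duplicated cipher suites, which 1.13 ignores and logs). This is an added example, not code from the Istio project; it assumes Gateway objects exported as JSON (for instance with kubectl get ... -o json), and the sample input is constructed.

```python
import json

# Constructed sample in the shape of a JSON list of Istio Gateway objects.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "istio-system", "name": "legacy-gw"},
   "spec": {"servers": [
     {"port": {"number": 443, "name": "https", "protocol": "HTTPS"},
      "hosts": ["a.example.com"],
      "tls": {"mode": "ISTIO_MUTUAL", "credentialName": "a-cert"}},
     {"port": {"number": 8443, "name": "https-b", "protocol": "HTTPS"},
      "hosts": ["b.example.com"],
      "tls": {"mode": "SIMPLE", "credentialName": "b-cert",
              "cipherSuites": ["ECDHE-RSA-AES128-GCM-SHA256",
                               "ECDHE-RSA-AES256-GCM-SHA384",
                               "ECDHE-RSA-AES128-GCM-SHA256"]}}]}},
  {"metadata": {"namespace": "prod", "name": "mesh-gw"},
   "spec": {"servers": [
     {"port": {"number": 15443, "name": "tls", "protocol": "TLS"},
      "hosts": ["*.local"],
      "tls": {"mode": "ISTIO_MUTUAL"}}]}}
]}
""")


def lint_gateways(gateway_list):
    """Return (namespace/name, port, finding) tuples for the two Gateway TLS changes."""
    findings = []
    for gw in gateway_list.get("items", []):
        meta = gw["metadata"]
        ref = "{}/{}".format(meta.get("namespace", "default"), meta["name"])
        for server in gw.get("spec", {}).get("servers") or []:
            tls = server.get("tls") or {}
            port = server.get("port", {}).get("number")
            # Rejected by 1.13 unless the legacy environment variable is set on istiod.
            if tls.get("mode") == "ISTIO_MUTUAL" and tls.get("credentialName"):
                findings.append((ref, port, "ISTIO_MUTUAL with credentialName"))
            # 1.13 ignores and logs duplicates; report them so the config gets cleaned up.
            seen, dupes = set(), []
            for suite in tls.get("cipherSuites") or []:
                if suite in seen and suite not in dupes:
                    dupes.append(suite)
                seen.add(suite)
            if dupes:
                findings.append((ref, port, "duplicate cipher suites: " + ", ".join(dupes)))
    return findings


if __name__ == "__main__":
    for ref, port, finding in lint_gateways(SAMPLE):
        print(f"{ref} port {port}: {finding}")
```

A Gateway flagged for ISTIO_MUTUAL with credentialName did not have mutual TLS configured before 1.13, so review which TLS mode was intended for it before upgrading rather than only setting the legacy environment variable.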